Jigsaw Ransomware Resurfaces as Bitcoin Stealer

Security researchers uncovered that a version of Jigsaw, an old ransomware, has resurfaced as a bitcoin stealer. This iteration of Jigsaw (detected by Trend Micro as RANSOM_JIGSAW.THGBDAH) is also known as BitcoinStealer through strings embedded in the malware’s code. The malware steals the contents of the victim’s bitcoin wallet by using an open-source command-line tool (VanityGen) to modify the victim’s bitcoin address to divert its contents to the cybercriminal’s account.

The modification is subtle: VanityGen is used to produce a cybercriminal-controlled address that looks similar to the victim's, and the malware swaps it into the clipboard, so victims may not notice that the address they paste is no longer their own.
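The clipboard swap described above only pays off if the substituted address is valid and passes a glance as the victim's own. The Python below is added here as an example and is not code from the report or from Trend Micro: it shows the check a wallet front end or a paste guard could run, validating the pasted string as a Base58Check legacy address and flagging a valid address that differs from the one the user copied yet shares its leading characters. The victim, lookalike and unrelated addresses are constructed from hashes of fixed strings (no real wallets; the lookalike is built by altering the hash, not with VanityGen), and the `min_shared` threshold is an assumption.

```python
import hashlib, os
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Bitcoin Base58

def b58encode(raw: bytes) -> str:
    """Base58 encode, keeping leading zero bytes as '1' characters."""
    n, digits = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits

def b58decode(text: str) -> bytes:
    """Inverse of b58encode; ALPHABET.index raises ValueError on a bad character."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
def p2pkh_address(hash160: bytes) -> str:
    """Legacy (version 0x00) address from a 20-byte hash; used here only to build sample data."""
    payload = b"\x00" + hash160
    return b58encode(payload + checksum(payload))

def is_valid_address(addr: str) -> bool:
    """Base58Check validation for legacy addresses (version 0x00 P2PKH or 0x05 P2SH)."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] in (0x00, 0x05) and raw[21:] == checksum(raw[:21])

def classify_paste(copied: str, clipboard: str, min_shared: int = 4) -> str:
    """Compare the address the user copied with what the clipboard holds at paste time."""
    if clipboard == copied:
        return "match"
    if not is_valid_address(clipboard):
        return "invalid"  # not a spendable address, so not a working swap
    # Every legacy address starts with '1' or '3'; a longer common prefix is the vanity tell.
    shared = len(os.path.commonprefix([copied, clipboard]))
    return "lookalike-swap" if shared >= min_shared else "swap"

# Constructed samples (no real wallets): a one-bit change at the end of the hash yields an
# address sharing a long prefix with the original, standing in for a vanity lookalike.
VICTIM_HASH = hashlib.sha256(b"constructed victim wallet").digest()[:20]
VICTIM_ADDR = p2pkh_address(VICTIM_HASH)
LOOKALIKE_ADDR = p2pkh_address(VICTIM_HASH[:-1] + bytes([VICTIM_HASH[-1] ^ 0x01]))
UNRELATED_ADDR = p2pkh_address(hashlib.sha256(b"constructed unrelated wallet").digest()[:20])
```

A real guard would also have to cover Bech32 (bc1...) addresses and compare against the address the user actually copied, not one the malware planted earlier.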

According to the researchers, the cybercriminals have already netted 8.4 bitcoins (US$66,807 as of July 24, 2018) using the repurposed malware. They also saw similar cryptocurrency address-modifying services peddled in dark web forums and websites.

Jigsaw Ransomware

Emerging as a file-encrypting malware in April 2016, Jigsaw pressured victims into paying the ransom by setting a time limit and incrementally deleting files. It has since evolved and matured, using tactics and business models that included incorporating live chat support and revamping its ransom notes (e.g., using images from the Saw films and Anonymous) and demands.

Given that Jigsaw’s source code has long been available online, it’s unsurprising that cybercriminals rehashed it into a malware that cashes in on cryptocurrency’s popularity. And Jigsaw isn't the only one to adapt to the times.

A recent example is the Rakhni trojan, which can deliver either a ransomware or cryptocurrency-mining malware depending on the affected system’s configurations. Trickbot, initially known as an information stealer, incorporated screen-locking capabilities typically associated with ransomware. Cerber ransomware also added cryptocurrency theft to its routines. Cybercriminals also used notorious exploits like EternalBlue to mine cryptocurrency. In 2017, cryptocurrency mining was the most detected network event in devices connected to home routers.

Tighten privacy and security settings: Protect cryptocurrency wallets and their contents from malware and unauthorized modification with measures such as multifactor authentication, split wallets, and cold storage (keeping the funds offline).

Enforce defense in depth: For enterprises, actively monitor systems for anomalous activities and deploy security mechanisms at each layer of the organization's infrastructure: network, servers, gateways, and endpoints.
